Establishing Digital Trust: Don't Sacrifice Security for Convenience
A funny thing can happen when you accept a “friend” request on Facebook. You can get back in touch with an old high school buddy. You can get a look at your sister’s latest baby pictures. Or you could end up in jail.
That’s exactly what happened to Rod Coronado earlier this summer, when he was sentenced to four months in prison after he did nothing more noisome than accepting one of those pesky friend pings on Facebook.
The details of the case offer a little insight and, hopefully, a glimmer of hope for you and me that we won’t meet the same fate: Coronado, an environmental and animal rights activist, was already on probation for prior crimes, and the friend request he accepted was from Mike Roselle, a former Greenpeace director. Coronado’s probation officer said that Coronado’s virtual friendship with Roselle was the equivalent of consorting with known criminals, a definitive no-no in the probation world.
That, of course, is the catch: There’s no evidence that Coronado ever met Roselle in person, or in fact ever knew him at all. Facebook makes such random connections simple – and in fact it readily encourages them. Take a look at your own friends list on Facebook and you’ll probably find more than a few people there who you’ve never met.
As well, you will probably find people whose name means nothing to you at all. Perhaps someone you met at a party years ago and have long since forgotten. An old elementary school chum you can’t remember at all, but who was friends with all the school buddies you do remember, so you felt guilty about not accepting his friend request. Or perhaps among your Facebook “friends,” there really is a complete stranger who added you by mistake and you, thinking the name sounded familiar, accepted the request. Maybe you accidentally clicked “accept” instead of “ignore.” Maybe it’s just a spam account. Who knows?
The point is that, try as we might to keep our online and social networking identities private and secure, they are increasingly meaningless and cluttered with junk. But as the case of Rod Coronado shows, that junk can have consequences.
Social networking without a safety net
Coronado certainly isn’t alone in being negatively impacted by Facebook and other social network activity. It’s now almost commonplace that students who post evidence of illegal activity (usually alcohol or drugs) on pages accessible to school administration face disciplinary action for their wrongdoing, based solely on the evidence that they themselves have provided. Employees are regularly terminated for updating their Facebook status (“Having a blast at the beach!”) when they claim to be taking a sick day. Gang members have been linked to one another through the “follow” history of their Twitter accounts – a medium growing in popularity as a communication system for the criminal underground.
Now the question must be asked: What impact might otherwise innocent Facebook activity have on corporate endeavors, criminal or otherwise?
Consider a scenario where a manager at your company accepts a friend request from a competitor. All in the name of collegiality, of course. Perhaps the two met at a trade show or conference, or maybe they worked together at an old company. Now let’s say there are allegations of price fixing in your industry, perhaps leveled primarily at other companies, including the competitor mentioned above. Could your company get wrapped up in said investigation simply because of the possibility of impropriety, thanks to the link between the two managers in our little example? Absolutely.
But there are far more grounded, real-world reasons to be concerned about such connections. What about headhunters in the employ of your competition? A single friend request can open the door to your company, giving that headhunter a way to figure out who else might be worth approaching to poach, since it’s common for co-workers to be friends on Facebook. Heck, Facebook even makes it easy by automatically lumping employees at the same company together into formal networks, which can be browsed as easily as a telephone directory.
What about the social networking ramifications of Facebook accounts? Finding a birthday, hometown, and other personal information (even the inimitable mother’s maiden name) is trivial with Facebook. Does your IT department use any of this information as part of a remote password reset program?
Think about how much an absolute stranger can find out about your staff through a simple friend request. The possibilities are limitless.
Dealing with such challenges is daunting, to say the least, but the good news is you’re not alone. Every company has to grapple with social networks and the new risks they introduce.
Give good guidance
The first step is, as always, policy. Employees need to know what kind of behavior is and is not appropriate on Facebook and other social networks, and management needs to make clear that an employee’s personal life may be fair game for sharing, but that business endeavors are certainly not. Clear rules about how these networks can be used need to be laid out and communicated clearly to staff. Some companies may have to go further. Certain employees in sensitive areas of the company may be forbidden from setting up social networking accounts at all, or at least prohibited from making them publicly viewable.
If problems arise or seem remotely likely, the company may have to move on to more serious measures, such as blocking access to these sites from the office as a measure of protection. You may not be able to stop employees from accessing them, but at least you can prevent them from doing so while they’re on the job.
Christopher Null writes about technology extensively for Wired, PC World, and Maximum PC. He was the founder and Editor-in-Chief of Mobile PC magazine and spent four years blogging about tech daily for Yahoo! You can find his running commentary at chrisnull.com.